docs/plans/agent-native/003-ai-safety-checkpoint.md
The AI safety checkpoint (packages/migrate/src/utils/ai-safety.ts) blocks db drop,
db push --force-reset, and migrate reset when an AI agent is detected, unless
PRISMA_USER_CONSENT_FOR_DANGEROUS_AI_ACTION carries the user's consent. The marker
modernization is done in PR #29684
(aqrln/ai-safety-modern-agents, in review). This task tracks landing it plus small
follow-ups that tie the checkpoint into the rest of the agent-native work.
node:fs mocks.main currently carries only the older marker set (Claude Code, Gemini/Qwen, Cursor, Aider,
Replit, Codex).prisma mcp (packages/cli/src/mcp/MCP.ts) exposes a
migrate-reset tool that shells out to migrate reset --force. When the MCP server is
launched by an agent (the only realistic case), the agent's env markers are inherited by
the child process, so the checkpoint fires inside the MCP tool call. Verify this with a
test, and make sure the checkpoint's error text renders usefully through the MCP tool
result (the agent must see the consent instructions, not a truncated stderr). Adjust the
tool description to mention the consent protocol.prisma-cli skill (and the troubleshooting
skill, task 006) must describe the checkpoint: which commands are gated, why, and that the
correct response is to stop and ask the human — not to hunt for bypasses. An agent that has
read the skill behaves better at the checkpoint than one that meets it cold.@vercel/detect-agent (rationale in the comment above
agentMatchers).db execute or other commands that can be destructive but are
general-purpose: the current scope (commands whose purpose is data destruction) keeps the
false-positive rate at zero. Revisit only with evidence of real incidents.prisma mcp migrate-reset tool and
that the consent instructions survive the MCP transport.prisma-cli (and task 006's skill).